Debian 7 Installation : Part 1 - ISO Image Verification

Due to unforeseen reasons, I need to revive my unused server and install Debian 7 (Wheezy), the latest stable version, on it. It has been a while since I last used Debian as my primary GNU/Linux distro compared to its sibling, Ubuntu. Here are some notes regarding the installation procedure.

Download the ISO CD 1 image as well as the signed checksum files (for verification) from the cdimage site. I opted to use the first CD image, which we will later write to a USB thumb drive as installation media.

Due to recent exposure to keysigning, it is good practice to validate the ISO image using the checksum tool and to verify the authenticity of the ISO image. It took me a while of googling to find a proper step-by-step guide (in Chinese, but the instructions are quite obvious) to validate and verify the downloaded ISO images. Funny how the official documentation does not even have these instructions.

First, let's verify the checksum file to confirm this image was built by the authorized people. As the error message below shows, we're missing the public key needed to verify the signed checksum.

Find and add the public key that signed this checksum file. We can obtain this public key from Debian's own key server. Take note of the last line, which says this key is still not fully valid or trustworthy enough according to the PGP trust model.

Alternatively, you can find the list of users who signed the public key 6294BE9B by using the debian-keyring package.

$ sudo apt-get install debian-keyring
$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B

You can only verify the identity of the Debian CD signing key through the concept of the Web of Trust [7], by going through the list of people above and either signing their public keys (if you've met them in real life or trust them through a fingerprint exchange) or asking them directly.
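
The order of checks described above, as an added example that is not part of the original post: the signature on the checksum file is verified first, and only then is the ISO compared with its entry in that file. The file names SHA512SUMS and SHA512SUMS.sign, the function names and the ISO name are assumptions; the post does not name them.

```shell
#!/bin/sh
# Added example. Assumed names: SHA512SUMS and SHA512SUMS.sign beside the ISO.

# verify_sums_signature SUMS SIG [KEYRING]
# Exit status 0 means SIG is a good detached signature over SUMS. gpg's
# "not certified with a trusted signature" warning concerns key trust and
# does not change the exit status, so read the output as well.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=${3:-}
    if [ -n "$keyring" ]; then
        # Consult only the given keyring file, not the user's default one.
        gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
    else
        gpg --verify "$sig" "$sums"
    fi
}

# check_iso_sum SUMS ISO
# Returns 0 on match, 1 on mismatch, 2 if ISO has no single clean entry.
check_iso_sum() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    # Lines look like "<hex digest>  <name>" (or "*<name>" in binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    case $expected in
        '')          echo "no entry for $name in $sums" >&2; return 2 ;;
        *[!0-9a-f]*) echo "duplicate or malformed entry for $name" >&2; return 2 ;;
    esac
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $name" >&2
    return 1
}

# verify_iso SUMS SIG ISO [KEYRING]: signature first, then checksum.
# An unsigned or badly signed checksum file is never used (returns 3).
verify_iso() {
    verify_sums_signature "$1" "$2" "${4:-}" || {
        echo "signature check failed; not trusting $1" >&2; return 3; }
    check_iso_sum "$1" "$3"
}

# Usage (the ISO name is a placeholder):
#   verify_iso SHA512SUMS SHA512SUMS.sign <image>.iso
```

A checksum match on its own only shows the download agrees with the checksum file; the signature step is what ties that file to the signing key.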
